Abstract. We consider the extensions of modal transition systems (MTS), namely Boolean MTS and parametric MTS, and we investigate the refinement problems over both classes. Firstly, we reduce the problem of modal refinement over both classes to a problem solvable by a QBF solver and provide experimental results showing our technique scales well. Secondly, we extend the algorithm for thorough refinement of MTS, providing better complexity than via reductions to previously studied problems. Finally, we investigate the relationship between modal and thorough refinement on the two classes and show how the thorough refinement can be approximated by the modal refinement.

1 Introduction



Due to the ever increasing complexity of software systems and their reuse, component-based design and verification have become crucial. Therefore, having a specification formalism that supports component-based development and stepwise refinement is very useful. In such a framework, one can start from an initial specification, proceed with a series of small and successive refinements until eventually a specification is reached from which an implementation can be extracted directly. In each refinement step, we can replace a single component of the current specification with a more concrete/implementable one. The correctness of such a step should follow from the correctness of the refinement of the replaced component, so that the methodology supports compositional verification.

Modal transition systems (MTS) were introduced by Larsen and Thomsen [LT88] in order to obtain an operational, yet expressive and manageable specification formalism meeting the above properties. Their success resides in a natural combination of two features. Firstly, it is the simplicity of labelled transition systems, which have proved appropriate for behavioural description of systems as well as their compositions; MTS as their extension inherit this appropriateness. Secondly, as opposed to e.g. temporal logic specifications, MTS can be easily gradually refined into implementations while preserving the desired behavioural properties. In this work, we focus on checking the refinement between MTS and also their recent extensions.

The formalism of MTS has proven to be useful in practice. Industrial applications are as old as [Bru97] where MTS have been used for an air-traffic system at Heathrow airport. Besides, MTS are advocated as an appropriate base for interface theories in [RBB+09] and for product line theories in [Nym08]. Further, an MTS based software engineering methodology for design via merging partial descriptions of behaviour has been established in [UC04]. Moreover, the tool support is quite extensive, e.g. [BLS95,DFFU07,BML11,BCK11].

MTS consist of a set of states and two transition relations. The must tran- 
sitions prescribe which behaviour has to be present in every refinement of the 
system; the may transitions describe the behaviour that is allowed, but need not 
be realized in the refinements. This allows for underspecification of non-critical 
behaviour in the early stage of design, focusing on the main properties, verifying 
them and sorting out the details of the yet unimplemented non-critical behaviour 
later. 

Over the years, many extensions of MTS have been proposed. While MTS can only specify whether or not a particular transition is required, some extensions equip MTS with more general abilities to describe what combinations of transitions are possible. Disjunctive MTS (DMTS) [LX90] can specify that at least one of a given set of transitions is present. One selecting MTS [FS08] allow to choose exactly one of them. Boolean MTS (BMTS) [BKL+11] cover all Boolean combinations of transitions. The same holds for acceptance automata [Rac07] and Boolean formulae with states [BDF+], which both express the requirement by listing all possible sets instead of a Boolean formula. Parametric MTS (PMTS) [BKL+11] add parameters on top of it, so that we can also express persistent choices of transitions and relate possible choices in different parts of a system. This way, one can model hardware dependencies of transitions and systems with prices [BKL+12].



Our contribution In this paper, we investigate extensions of MTS with re- 
spect to two notions of refinement. The modal refinement is a syntactically de- 
fined notion extending on the one hand bisimulation and on the other hand 
simulation. Similarly to bisimulation having a counterpart in trace equivalence, 
here the counterpart of modal refinement is the thorough refinement. It is the 
corresponding semantically defined notion relating (by inclusion) the sets of im- 
plementations of the specifications. 

We focus both on theoretical and practical complexity of the refinement problems. While modal refinement on MTS and disjunctive MTS can be decided in polynomial time, on BMTS and PMTS it is higher in the polynomial hierarchy ($\Pi_2^p$ and $\Pi_4^p$, respectively). The huge success of SAT and also QBF solvers inspired us to reduce these refinement problems to problems solvable by a QBF solver. We have also performed experiments showing that this solution scales well in the size of the system as well as in the number of parameters, while a direct naive solution is infeasible.

Further, we extend the decision algorithm for thorough refinement checking over MTS [BKLS12] and DMTS [BCK10] to the setting of BMTS and PMTS. We show how PMTS can be translated to BMTS and BMTS can then be transformed to DMTS. As we can decide the problem on DMTS in EXPTIME, this shows decidability for BMTS and PMTS, but each of the translations is inevitably exponential. However, we show better upper bounds than doubly and triply exponential. To this end, we give also a direct algorithm for showing the problem is in NEXPTIME for BMTS and 2-EXPTIME for PMTS.

Since the thorough refinement is EXPTIME-hard already for MTS, it is harder than the modal refinement, which is in P for DMTS and in $\Pi_4^p$ for PMTS. Therefore, we also investigate how the thorough refinement can be approximated by the modal refinement. While underapproximation is easy, as modal refinement implies thorough refinement, overapproximation is more difficult. Here we extend our method of the deterministic hull for MTS [BKLS09] to both BMTS and PMTS. We prove that for BMTS modal and thorough refinements coincide if the refined system is deterministic, which then yields an overapproximation via the deterministic hull. Finally, in the case with PMTS, we need to overapproximate the behaviour dependent on the parameters, because the coincidence of the refinements on deterministic systems fails for PMTS.

Our contribution can be summarized as follows: 

— We reduce the problem of modal refinement over BMTS and PMTS to a 
problem solvable by a QBF solver. We provide promising experimental re- 
sults showing this solution scales well. 

— We extend the algorithm for thorough refinement on MTS and DMTS to BMTS and PMTS, providing better complexity than via translation of these formalisms to DMTS. This also shows (together with results on modal refinement) that we can make use of the more compact representation used in the formalisms of BMTS and PMTS.

— We investigate the relationship between modal and thorough refinement on 
BMTS and PMTS. We introduce approximation methods for the thorough 
refinement on BMTS and PMTS through the modal refinement. 

Related work There are various other approaches to deal with component refinements. They range from subtyping [LW94] over Java modelling language [JP01] to interface theories close to MTS such as interface automata [dAH01]. Similarly to MTS, interface automata are behavioural interfaces for components. However, their composition works very differently. Furthermore, its notion of refinement is based on alternating simulation [AHKV98], which has been proved strictly less expressive than MTS refinement — actually coinciding on a subclass of MTS — in the paper [LNW07], which combines MTS and interface automata based on I/O automata [Lyn88]. The compositionality of this combination is further investigated in [RBB+11].

Further, opposite to the design of correct software where an abstract verified MTS is transformed into a concrete implementation, one can consider checking correctness of software through abstracting a concrete implementation into a coarser system. The use of MTS as abstractions has been advocated e.g. in [GHJ01]. While usually overapproximations (or underapproximations) of systems are constructed and thus only purely universal (or existential) properties can be checked, [GHJ01] shows that using MTS one can check mixed formulae (arbitrarily combining universal and existential properties) and, moreover, at the same cost as checking universal properties using traditional conservative abstractions. This advantage has been investigated also in the context of systems equivalent or closely related to MTS [HJS01,DGG97,Nam03,DN04,GGLT09,GNRT10]. MTS can also be viewed as a fragment of mu-calculus that is "graphically representable" [BL90,BDF+]. The graphical representability of a variant of alternating simulation called covariant-contravariant simulation has been recently studied in [AFdFE+11].

Outline of the paper In Section 2 we recall the formalism of MTS and the extensions discussed. Further, in Section 3 we recall the modal refinement problem. We reduce it to a QBF problem in Section 4. In Section 5 we give a solution to the thorough refinement problems. Section 6 investigates the relationship of the two refinements and how modal refinement can approximate the thorough refinement. We conclude in Section

2 Modal Transition Systems and Boolean and Parametric 
Extensions 

In this section, we introduce the studied formalisms of modal transition sys- 
tems and their Boolean and parametric extensions. We first recall the standard 
definition of MTS: 

Definition 2.1. A modal transition system (MTS) over an action alphabet $\Sigma$ is a triple $(S, \dashrightarrow, \longrightarrow)$, where $S$ is a set of states and $\longrightarrow \subseteq \dashrightarrow \subseteq S \times \Sigma \times S$ are must and may transition relations, respectively.

The MTS are often drawn as follows. Unbroken arrows denote the must (and 
underlying may) transitions while dashed arrows denote may transitions where 
there is no must transition. 

Example 2.2. The MTS on the right is adapted from [BKL+11] and models traffic lights of types used e.g. in Europe and in North America. In state green on the left there is a must transition under ready to state yellow, from which there is a must transition to red. Here transitions to yellowRed and back to green are may transitions. Intuitively, this means that any final implementation may have one or the other transition or both or none. In contrast, the must transitions are present in all implementations.

Note that using MTS, we cannot express the set of implementations with exactly one of the transitions in red. For that, we can use Boolean MTS [BKL+11] instead, which can express not only arbitrary conjunctions and disjunctions, but also negations and thus also exclusive-or. However, in Boolean MTS it may still happen that at first only the transition to green is present, but in the next round of the traffic lights cycle only the transition to yellowRed is present. To make sure the choice will remain the same in the whole implementation, parametric MTS have been introduced [BKL+11] extending the Boolean MTS.

Before we define the most general class of parametric MTS and derive other classes as special cases, we first recall the standard propositional logic. A Boolean formula over a set $X$ of atomic propositions is given by the following abstract syntax

$$\varphi ::= \mathrm{tt} \mid x \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi$$

where $x$ ranges over $X$. The set of all Boolean formulae over the set $X$ is denoted by $\mathcal{B}(X)$. Let $\nu \subseteq X$ be a valuation, i.e. a set of variables with value true, then the satisfaction relation $\nu \models \varphi$ is given by $\nu \models \mathrm{tt}$, $\nu \models x$ iff $x \in \nu$, and the satisfaction of the remaining Boolean connectives is defined in the standard way. We also use the standard derived operators like exclusive-or $\varphi \oplus \psi := (\varphi \wedge \neg\psi) \vee (\neg\varphi \wedge \psi)$, implication $\varphi \Rightarrow \psi := \neg\varphi \vee \psi$ and equivalence $\varphi \Leftrightarrow \psi := (\neg\varphi \vee \psi) \wedge (\varphi \vee \neg\psi)$.

We can now proceed with the definition of parametric MTS. In essence, it 
is a labelled transition system where we can specify which transitions can be 
present depending on values of some fixed parameters. 

Definition 2.3. A parametric modal transition system (PMTS) over an action alphabet $\Sigma$ is a tuple $(S, T, P, \Phi)$ where

— $S$ is a set of states,

— $T \subseteq S \times \Sigma \times S$ is a transition relation,

— $P$ is a finite set of parameters, and

— $\Phi : S \to \mathcal{B}((\Sigma \times S) \cup P)$ is an obligation function over the outgoing transitions and parameters. We assume that whenever $(a,t)$ occurs in $\Phi(s)$ then $(s,a,t) \in T$.

A Boolean modal transition system (BMTS) is a PMTS with the set of parameters $P$ being empty. A disjunctive MTS (DMTS) is a BMTS with the obligation function in conjunctive normal form and using no negation. An implementation (or labelled transition system) is a BMTS with $\Phi(s) = \bigwedge_{(s,a,t) \in T} (a,t)$ for each $s \in S$.

An MTS is then a BMTS with $\Phi(s)$ being a conjunction of positive literals (some of the outgoing transitions), for each $s \in S$. More precisely, $\dashrightarrow$ is the same as $T$, and $(s,a,t) \in \longrightarrow$ if and only if $(a,t)$ is one of the conjuncts of $\Phi(s)$.

Example 2.4. An example of a PMTS which captures the traffic lights used e.g. in Europe for cars and for pedestrians is depicted below. Depending on the valuation of parameter reqYellow, we either always use the yellow light between the red and green lights, or we never do. The transition relation is depicted using unbroken arrows.

Parameters: $P = \{reqYellow\}$

Obligation function:

$\Phi(green) = ((stop, red) \oplus (ready, yellow)) \wedge (reqYellow \Leftrightarrow (ready, yellow))$

$\Phi(yellow) = (stop, red)$

$\Phi(red) = ((go, green) \oplus (ready, yellowRed)) \wedge (reqYellow \Leftrightarrow (ready, yellowRed))$

$\Phi(yellowRed) = (go, green)$



3 Modal Refinement 

A fundamental advantage of MTS-based formalisms is the presence of modal refinement that allows for a step-wise system design (see e.g. [AHL+08]). We start with the standard definition of modal refinement for MTS and then discuss extensions to BMTS and PMTS.

Definition 3.1 (MTS Modal Refinement). For states $s_0$ and $t_0$ of MTS $(S_1, \dashrightarrow_1, \longrightarrow_1)$ and $(S_2, \dashrightarrow_2, \longrightarrow_2)$, respectively, we say that $s_0$ modally refines $t_0$, written $s_0 \le_m t_0$, if $(s_0, t_0)$ is contained in a relation $R \subseteq S_1 \times S_2$ satisfying for every $(s,t) \in R$ and every $a \in \Sigma$:

1. if $s \overset{a}{\dashrightarrow}_1 s'$ then there is a transition $t \overset{a}{\dashrightarrow}_2 t'$ with $(s',t') \in R$, and

2. if $t \overset{a}{\longrightarrow}_2 t'$ then there is a transition $s \overset{a}{\longrightarrow}_1 s'$ with $(s',t') \in R$.

Intuitively, $s \le_m t$ iff whatever $s$ can do is allowed by $t$ and whatever $t$ requires can be done by $s$. Thus $s$ is a refinement of $t$, or $t$ is an abstraction of $s$. Further, an implementation of $s$ is a state $i$ of an implementation (labelled transition system) with $i \le_m s$.

In [BKL+11], the modal refinement has been extended to PMTS (and thus BMTS) so that it coincides on MTS. We first recall the definition for BMTS. To this end, we set the following notation. Let $(S, T, P, \Phi)$ be a PMTS and $\nu \subseteq P$ be a valuation. For $s \in S$, we write $T(s) = \{(a,t) \mid (s,a,t) \in T\}$ and denote by

$$\mathrm{Tran}_\nu(s) = \{E \subseteq T(s) \mid E \cup \nu \models \Phi(s)\}$$

the set of all admissible sets of transitions from $s$ under the fixed truth values of the parameters. In the case of BMTS, we often write $\mathrm{Tran}$ instead of $\mathrm{Tran}_\emptyset$.

Definition 3.2 (BMTS Modal Refinement). For states $s_0$ and $t_0$ of BMTS $(S_1, T_1, \emptyset, \Phi_1)$ and $(S_2, T_2, \emptyset, \Phi_2)$, respectively, we say that $s_0$ modally refines $t_0$, written $s_0 \le_m t_0$, if $(s_0, t_0)$ is contained in a relation $R \subseteq S_1 \times S_2$ satisfying for every $(s,t) \in R$:

$$\forall M \in \mathrm{Tran}(s) : \exists N \in \mathrm{Tran}(t) : \forall (a,s') \in M : \exists (a,t') \in N : (s',t') \in R \;\wedge\; \forall (a,t') \in N : \exists (a,s') \in M : (s',t') \in R .$$

For PMTS, we propose here a slightly altered definition, which corresponds more to the intuition, is closer to the semantically defined notion of thorough refinement, but still keeps the same complexity as established in [BKL+11]. We use the following notation. For a PMTS $\mathcal{M} = (S, T, P, \Phi)$, a valuation $\nu \subseteq P$ of parameters induces a BMTS $\mathcal{M}^\nu = (S, T, \emptyset, \Phi')$ where each occurrence of $p \in \nu$ in $\Phi$ is replaced by tt and of $p \notin \nu$ by ff, i.e. $\Phi'(s) = \Phi(s)[\mathrm{tt}/p \text{ for } p \in \nu,\ \mathrm{ff}/p \text{ for } p \notin \nu]$ for each $s \in S$. We extend the notation to states and let $s^\nu$ denote the state of $\mathcal{M}^\nu$ corresponding to the state $s$ of $\mathcal{M}$.

Definition 3.3 (PMTS Modal Refinement). For states $s_0$ and $t_0$ of PMTS $(S_1, T_1, P_1, \Phi_1)$ and $(S_2, T_2, P_2, \Phi_2)$, we say that $s_0$ modally refines $t_0$, written $s_0 \le_m t_0$, if for every $\mu \subseteq P_1$ there exists $\nu \subseteq P_2$ such that $s_0^\mu \le_m t_0^\nu$.

Before we comment on the difference to the original definition, we illustrate the refinement on an example of [BKL+11] where both definitions coincide.



Example 3.4. Consider the rightmost PMTS below. It has two parameters, namely reqYfromG and reqYfromR, whose values can be set independently, and it can be refined by the system in the middle of the figure having only one parameter reqYellow. This single parameter simply binds the two original parameters to the same value. The PMTS in the middle can be further refined into the implementations where either yellow is always used in both cases, or never at all, as discussed in the previous example. Up to bisimilarity, the green state of this system only has the two implementations on the left.

[Figure: the two implementations (left) refine the PMTS with parameter reqYellow (middle), which refines the PMTS with parameters reqYfromR and reqYfromG (right); only the parameter sets and obligation functions are reproduced here.]

Parameters: $P = \{reqYellow\}$

Obligation function:

$\Phi(green) = ((stop, red) \oplus (ready, yellow)) \wedge (reqYellow \Leftrightarrow (ready, yellow))$

$\Phi(yellow) = (stop, red)$

$\Phi(red) = ((go, green) \oplus (ready, yellowRed)) \wedge (reqYellow \Leftrightarrow (ready, yellowRed))$

$\Phi(yellowRed) = (go, green)$

Parameters: $P = \{reqYfromR, reqYfromG\}$

Obligation function:

$\Phi(green) = ((stop, red) \oplus (ready, yellow)) \wedge (reqYfromG \Leftrightarrow (ready, yellow))$

$\Phi(yellow) = (stop, red)$

$\Phi(red) = ((go, green) \oplus (ready, yellowRed)) \wedge (reqYfromR \Leftrightarrow (ready, yellowRed))$

$\Phi(yellowRed) = (go, green)$

The original version of [BKL+11] requires for $s_0 \le_m t_0$ to hold that there be a fixed $R \subseteq S_1 \times S_2$ such that for every $\mu \subseteq P_1$ there exists $\nu \subseteq P_2$ satisfying for each $(s,t) \in R$

$$\forall M \in \mathrm{Tran}_\mu(s) : \exists N \in \mathrm{Tran}_\nu(t) : \forall (a,s') \in M : \exists (a,t') \in N : (s',t') \in R \;\wedge\; \forall (a,t') \in N : \exists (a,s') \in M : (s',t') \in R .$$

Clearly, the original definition is stronger: For any two PMTS states, if $s_0 \le_m t_0$ holds according to [BKL+11] it also holds according to Definition 3.3. Indeed, the relation for any sets of parameters can be chosen to be the fixed relation $R$. On the other hand, the opposite does not hold.

Example 3.5. Consider the PMTS on the left with parameter set $\{p\}$ and obligation $\Phi(s_0) = (a, s_1)$, $\Phi(s_1) = (b, s_2) \Leftrightarrow p$, $\Phi(s_2) = \mathrm{tt}$ and the PMTS on the right with parameter set $\{q\}$ and obligation $\Phi(t_0) = ((a, t_1) \Leftrightarrow q) \wedge ((a, t_1') \Leftrightarrow \neg q)$, $\Phi(t_1) = (b, t_2)$, $\Phi(t_2) = \Phi(t_1') = \mathrm{tt}$. On the one hand, according to our definition $s_0 \le_m t_0$. We intuitively agree it should be the case (and note they also have the same set of implementations). On the other hand, the original definition does not allow us to conclude modal refinement between $s_0$ and $t_0$. The reason is that depending on the value of $p$, $s_1$ is put in the relation either with $t_1$ (for $p$ being true and thus choosing $q$ true, too) or with $t_1'$ (for $p$ being false and thus choosing $q$ false, too). In contrast to the original definition, our definition allows us to pick different relations for different parameter valuations.
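The following Python is an added example, not code from the paper: it implements $\mathrm{Tran}_\nu$, the BMTS modal refinement of Definition 3.2 as a greatest fixpoint, the PMTS refinement of Definition 3.3, and a brute-force check of the original [BKL+11] definition (one fixed relation for all valuations). It is run on the traffic light of Example 2.4 and on Example 3.5, where it confirms that the pair $(s_0, t_0)$ is accepted by Definition 3.3 but rejected by the original definition. The tuple encoding of formulae, the function names and the data transcription are this example's own; in Example 3.5 the transition of $t_1$ is taken to be under $b$, which the example's claim of identical implementation sets requires.

```python
from dataclasses import dataclass
from itertools import combinations

# Boolean formulae of Section 2 as nested tuples.  Atoms are ("tr", a, t) for a
# transition (a, t) and ("par", p) for a parameter p; TT is the constant true.
TT = ("tt",)
def tr(a, t): return ("tr", a, t)
def par(p): return ("par", p)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def xor(f, g): return ("xor", f, g)   # derived: (f and not g) or (not f and g)
def iff(f, g): return ("iff", f, g)   # derived: (not f or g) and (f or not g)

def holds(phi, val):
    """val |= phi, where val is the set of atoms (transitions and parameters) that are true."""
    op = phi[0]
    if op == "tt":  return True
    if op == "tr":  return (phi[1], phi[2]) in val
    if op == "par": return phi[1] in val
    if op == "not": return not holds(phi[1], val)
    if op == "and": return holds(phi[1], val) and holds(phi[2], val)
    if op == "or":  return holds(phi[1], val) or holds(phi[2], val)
    if op == "xor": return holds(phi[1], val) != holds(phi[2], val)
    if op == "iff": return holds(phi[1], val) == holds(phi[2], val)
    raise ValueError(f"unknown connective {op!r}")

def subsets(xs):
    """All subsets of xs as frozensets (used for 2^P and for the subsets of T(s))."""
    xs = sorted(xs)
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]

@dataclass
class PMTS:
    """(S, T, P, Phi) of Definition 2.3; a BMTS is a PMTS with empty P."""
    states: frozenset
    trans: frozenset      # triples (s, a, t)
    params: frozenset
    phi: dict             # state -> obligation formula

    def tran(self, s, v=frozenset()):
        """Tran_v(s): the subsets E of T(s) with E ∪ v |= Phi(s)."""
        outs = [(a, t) for (x, a, t) in self.trans if x == s]
        return [E for E in subsets(outs) if holds(self.phi[s], E | v)]

def pair_ok(m1, s, m2, t, R, v1=frozenset(), v2=frozenset()):
    """Condition of Definition 3.2 for one pair (s, t) against a candidate relation R,
    with the parameters of m1 / m2 fixed to v1 / v2 (i.e. the states s^v1 and t^v2)."""
    def matched(M, N):
        return (all(any(a == b and (s2, t2) in R for (b, t2) in N) for (a, s2) in M) and
                all(any(a == b and (s2, t2) in R for (b, s2) in M) for (a, t2) in N))
    return all(any(matched(M, N) for N in m2.tran(t, v2)) for M in m1.tran(s, v1))

def bmts_refines(m1, s0, m2, t0, v1=frozenset(), v2=frozenset()):
    """Definition 3.2 by greatest fixpoint: start from S1 x S2 and prune pairs that fail."""
    R = {(s, t) for s in m1.states for t in m2.states}
    changed = True
    while changed:
        changed = False
        for (s, t) in sorted(R):
            if not pair_ok(m1, s, m2, t, R, v1, v2):
                R.discard((s, t))
                changed = True
    return (s0, t0) in R

def pmts_refines(m1, s0, m2, t0):
    """Definition 3.3: for every mu ⊆ P1 some nu ⊆ P2 gives s0^mu <=m t0^nu (R may vary)."""
    return all(any(bmts_refines(m1, s0, m2, t0, mu, nu) for nu in subsets(m2.params))
               for mu in subsets(m1.params))

def pmts_refines_original(m1, s0, m2, t0):
    """The [BKL+11] definition: one fixed R must work for every mu; brute force over R."""
    pairs = [(s, t) for s in sorted(m1.states) for t in sorted(m2.states) if (s, t) != (s0, t0)]
    for extra in subsets(pairs):
        R = extra | {(s0, t0)}
        if all(any(all(pair_ok(m1, s, m2, t, R, mu, nu) for (s, t) in R)
                   for nu in subsets(m2.params))
               for mu in subsets(m1.params)):
            return True
    return False

# Example 2.4 (transcribed): the European traffic light with parameter reqYellow.
V = frozenset({"reqYellow"})
TRAFFIC = PMTS(
    frozenset({"green", "yellow", "red", "yellowRed"}),
    frozenset({("green", "stop", "red"), ("green", "ready", "yellow"), ("yellow", "stop", "red"),
               ("red", "go", "green"), ("red", "ready", "yellowRed"), ("yellowRed", "go", "green")}),
    V,
    {"green": conj(xor(tr("stop", "red"), tr("ready", "yellow")), iff(par("reqYellow"), tr("ready", "yellow"))),
     "yellow": tr("stop", "red"),
     "red": conj(xor(tr("go", "green"), tr("ready", "yellowRed")), iff(par("reqYellow"), tr("ready", "yellowRed"))),
     "yellowRed": tr("go", "green")})

# Example 3.5 (transcribed; t1's transition read as b, as the claim of equal implementation sets requires).
LEFT = PMTS(frozenset({"s0", "s1", "s2"}), frozenset({("s0", "a", "s1"), ("s1", "b", "s2")}), frozenset({"p"}),
            {"s0": tr("a", "s1"), "s1": iff(tr("b", "s2"), par("p")), "s2": TT})
RIGHT = PMTS(frozenset({"t0", "t1", "t1'", "t2"}),
             frozenset({("t0", "a", "t1"), ("t0", "a", "t1'"), ("t1", "b", "t2")}), frozenset({"q"}),
             {"t0": conj(iff(tr("a", "t1"), par("q")), iff(tr("a", "t1'"), neg(par("q")))),
              "t1": tr("b", "t2"), "t1'": TT, "t2": TT})

if __name__ == "__main__":
    print("Tran_{reqYellow}(green) =", TRAFFIC.tran("green", V))   # only (ready, yellow)
    print("Tran_{}(green)          =", TRAFFIC.tran("green"))      # only (stop, red)
    print("Example 3.5, Definition 3.3:", pmts_refines(LEFT, "s0", RIGHT, "t0"))            # True
    print("Example 3.5, [BKL+11]      :", pmts_refines_original(LEFT, "s0", RIGHT, "t0"))   # False
```

The fixpoint in `bmts_refines` computes the largest relation closed under the condition, so membership of $(s_0,t_0)$ in it is equivalent to the existence of some suitable $R$; the brute force over relations in `pmts_refines_original` is only viable for toy systems and is there to make the difference between the two definitions checkable.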





We propose our modification of the definition since it is more intuitive and for all considered fragments of PMTS has the same complexity as the original one. Note that both definitions coincide on BMTS. Further, on MTS they coincide with Definition 3.1 and on labelled transition systems with bisimulation.



4 Modal Refinement Checking 

In this section, we show how to solve the modal refinement problem on BMTS and PMTS using QBF solvers. Although modal refinement is $\Pi_2^p$-complete (the second level of the polynomial hierarchy) on BMTS and $\Pi_4^p$-complete on PMTS (see [BKL+11]), this way we obtain a solution method that is practically fast. We have implemented the approach and document its scalability on experimental results.

As mentioned, in order to decide whether modal refinement holds between 
two states, a reduction to a quantified boolean formula will be used. First, we 
recall the QBF decision problems. 

Definition 4.1 ($\mathrm{QBF}_n^Q$). Let $Ap$ be a set of atomic propositions, which is partitioned into $n$ sets with $Ap = \bigcup_{i=1}^{n} X_i$, and $\phi \in \mathcal{B}(Ap)$ a Boolean formula over this set of atomic propositions. Let $Q \in \{\forall, \exists\}$ be a quantifier and $\overline{\,\cdot\,} : \{\forall \mapsto \exists, \exists \mapsto \forall\}$ a function. Then a formula

$$Q X_1\; \overline{Q} X_2\; Q X_3 \;\ldots\; \widetilde{Q} X_n\; \phi \qquad \text{with } \widetilde{Q} = \begin{cases} Q & \text{if } n \text{ is odd} \\ \overline{Q} & \text{if } n \text{ is even} \end{cases}$$

is an instance of $\mathrm{QBF}_n^Q$ if it is satisfiable.

Satisfiability means that if e.g. $Q = \exists$ there is some partial valuation for the atomic propositions in $X_1$, such that for all partial valuations for the elements of $X_2$, there is another partial valuation for the propositions of $X_3$ and so on up to $X_n$, such that $\phi$ is satisfied by the union of all partial valuations. It is well known that these problems are complete for the polynomial hierarchy: For each $i \ge 1$, $\mathrm{QBF}_i^\exists$ is $\Sigma_i^p$-complete and $\mathrm{QBF}_i^\forall$ is $\Pi_i^p$-complete.

4.1 Construction for BMTS 



Due to the completeness of QBF problems and the results of [BKL+11], it is possible to polynomially reduce modal refinement on BMTS to $\mathrm{QBF}_2^\forall$. However, we would then have to perform a fixpoint computation to compute the refinement relation, causing numerous invocations of the external QBF solver. Hence it is faster to guess the relation and thus reduce the modal refinement only to $\mathrm{QBF}_3^\exists$.

Let $s \in S_1$ and $t \in S_2$ be processes of two arbitrary BMTSs $\mathcal{M}_1 = (S_1, T_1, \emptyset, \Phi_1)$ and $\mathcal{M}_2 = (S_2, T_2, \emptyset, \Phi_2)$. Furthermore let

$$Ap = \underbrace{(S_1 \times S_2)}_{X_R} \uplus \underbrace{T_1}_{X_{T_1}} \uplus \underbrace{(S_1 \times T_2)}_{X_{T_2}}$$

be a set of atomic propositions. The intended meaning is that $(u,v) \in X_R$ is assigned tt if and only if it is also contained in the modal refinement relation $R$. Further, $X_{T_1}$ and $X_{T_2}$ are used to talk about the transitions. The prefix $S_1$ is attached to the set $T_2$ because $N \in \mathrm{Tran}(t)$ with $t \in S_2$ must be chosen independently for different states of $S_1$. This trick enables us later to pull up the $\exists$ quantification in the formula.

We now construct a formula $\Psi_{s,t} \in \mathcal{B}(Ap)$ satisfying

$$s \le_m t \quad\text{iff}\quad \exists X_R\, \forall X_{T_1}\, \exists X_{T_2}\; \Psi_{s,t} \in \mathrm{QBF}_3^\exists \qquad (1)$$

To this end, we shall use a macro $\psi_{u,v}$ capturing the condition which has to be satisfied by any element $(u,v) \in R$. Furthermore, we ensure that $(s,t)$ is assigned tt by every satisfying assignment for the formula by placing it directly in the conjunction:

$$\Psi_{s,t} = (s,t) \wedge \bigwedge_{(u,v) \in X_R} \big((u,v) \Rightarrow \psi_{u,v}\big) \qquad (2)$$

It remains to define the macro $\psi_{u,v}$. We start with the modal refinement condition as a blueprint:

$$\forall M \in \mathrm{Tran}(u) : \exists N \in \mathrm{Tran}(v) : \forall (a,u') \in M : \exists (a,v') \in N : (u',v') \in R \;\wedge\; \forall (a,v') \in N : \exists (a,u') \in M : (u',v') \in R .$$

As $M$ and $N$ are subsets of $T_1(u)$ and $T_2(v)$, respectively, and are finite, the inner quantifiers can be expanded causing only a polynomial growth of the formula size (see Appendix A). Further, Tran sets are replaced by the original definition and the outer quantifiers are moved in front of $\Psi_{s,t}$. As the state obligations are defined over a different set of atomic propositions ($\Phi(v) \in \mathcal{B}((\Sigma \times S) \cup P) \not\subseteq \mathcal{B}(Ap)$), a family of mapping functions $\pi_p$ is introduced.

$$\begin{aligned} \pi_p : \mathcal{B}(\Sigma \times S) &\to \mathcal{B}(Ap) \\ \mathrm{tt} &\mapsto \mathrm{tt} \\ (a, x) &\mapsto (p, a, x) \quad \text{with } a \in \Sigma,\ x \in S \\ \varphi_1 \wedge \varphi_2 &\mapsto \pi_p(\varphi_1) \wedge \pi_p(\varphi_2) \\ \varphi_1 \vee \varphi_2 &\mapsto \pi_p(\varphi_1) \vee \pi_p(\varphi_2) \end{aligned}$$

Applying these steps to the blueprint yields the following result:

$$\psi_{u,v} = \pi_u(\Phi_1(u)) \Rightarrow \pi_{u,v}(\Phi_2(v)) \wedge \varphi_{u,v} \qquad (4)$$

$$\varphi_{u,v} = \bigwedge_{u^* = (u,a,u')} \Big(u^* \Rightarrow \bigvee_{v^* = (u,v,a,v')} \big(v^* \wedge (u',v')\big)\Big) \;\wedge\; \bigwedge_{v^* = (u,v,a,v')} \Big(v^* \Rightarrow \bigvee_{u^* = (u,a,u')} \big(u^* \wedge (u',v')\big)\Big) \qquad (5)$$

Theorem 4.2. For states $s, t$ of a BMTS, we have

$$s \le_m t \quad\text{iff}\quad \exists X_R\, \forall X_{T_1}\, \exists X_{T_2}\; \Psi_{s,t} \in \mathrm{QBF}_3^\exists$$

Due to space constraints, the technical proof is moved to Appendix A.

4.2 Construction for PMTS 

We now reduce the modal refinement on PMTS to $\mathrm{QBF}_4^\forall$, which now corresponds directly to the complexity established in [BKL+11]. Nevertheless, due to the first existential quantification in the $\forall\exists\forall\exists$ alternation sequence, we can still guess the refinement relation using the QBF solver rather than compute the lengthy fixpoint computation.

In the PMTS case, we have to find for all parameter valuations for the system 
of s a valuation for the system of t, such that there exists a modal refinement 
relation containing (s, t). We simply choose universally a valuation for the param- 
eters of the left system (the underlying system of s) and then existentially for the 
right system (the underlying system of t). Prior to checking modal refinement, 
the valuations are fixed, so the PMTS becomes a BMTS. This is accomplished 
by extending Ap with Pi and P 2 and adding the necessary quantifiers to the 
formula. Thus we obtain the following: 

Theorem 4.3. For states $s, t$ of a PMTS, we have

$$s \le_m t \quad\text{iff}\quad \forall P_1\, \exists P_2\, \exists X_R\, \forall X_{T_1}\, \exists X_{T_2}\; \Psi_{s,t} \in \mathrm{QBF}_4^\forall$$
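The following Python is an added example, not the authors' implementation: it builds the set $Ap$, the matrix $\Psi_{s,t}$ of equations (2), (4) and (5) and the quantifier prefix of Theorem 4.3 (Theorem 4.2 is the special case with empty parameter sets), and then decides the closed QBF by naive expansion of the prefix, standing in for the external solver. The tuple encoding of formulae, the function names and the four constructed toy systems are this example's own; negation and parameter atoms are passed through $\pi_p$ unchanged, which is this example's reading of the mapping. The expansion is exponential and only meant for instances of a handful of states.

```python
from itertools import product

# Formulae over Ap as nested tuples; atom(x) is the propositional variable x.
# Inside state obligations a transition (a, x) is atom((a, x)) and a parameter
# p is atom("p"); pi_p relabels only the transition atoms.
TT = ("tt",)
def atom(x): return ("atom", x)
def neg(f): return ("not", f)
def conj(*fs): return ("and",) + fs     # the empty conjunction is tt
def disj(*fs): return ("or",) + fs      # the empty disjunction is ff
def imp(f, g): return ("imp", f, g)
def iff(f, g): return ("iff", f, g)

def holds(phi, val):
    """val |= phi for a set val of atoms that are true."""
    op = phi[0]
    if op == "tt":   return True
    if op == "atom": return phi[1] in val
    if op == "not":  return not holds(phi[1], val)
    if op == "and":  return all(holds(f, val) for f in phi[1:])
    if op == "or":   return any(holds(f, val) for f in phi[1:])
    if op == "imp":  return (not holds(phi[1], val)) or holds(phi[2], val)
    if op == "iff":  return holds(phi[1], val) == holds(phi[2], val)
    raise ValueError(op)

def pi(prefix, phi):
    """pi_p of Section 4.1: (a, x) |-> (p, a, x) and homomorphic on the connectives.
    Negation and parameter atoms are passed through (this example's reading)."""
    if phi[0] == "atom":
        return atom(prefix + phi[1]) if isinstance(phi[1], tuple) else phi
    return (phi[0],) + tuple(pi(prefix, f) for f in phi[1:])

def encode(m1, s, m2, t):
    """Quantifier prefix and matrix Psi_{s,t}.  A system is a (states, transitions,
    params, phi) tuple; empty params give the BMTS case of Theorem 4.2."""
    S1, T1, P1, phi1 = m1
    S2, T2, P2, phi2 = m2
    X_R = [(u, v) for u in sorted(S1) for v in sorted(S2)]      # (u, v): "(u, v) in R"
    X_T1 = sorted(T1)                                            # u* = (u, a, u')
    X_T2 = [(u,) + e for u in sorted(S1) for e in sorted(T2)]    # v* = (u, v, a, v')

    def phi_uv(u, v):                                            # equation (5)
        left = [us for us in X_T1 if us[0] == u]
        right = [vs for vs in X_T2 if vs[0] == u and vs[1] == v]
        c1 = [imp(atom(us), disj(*[conj(atom(vs), atom((us[2], vs[3])))
                                    for vs in right if vs[2] == us[1]])) for us in left]
        c2 = [imp(atom(vs), disj(*[conj(atom(us), atom((us[2], vs[3])))
                                    for us in left if us[1] == vs[2]])) for vs in right]
        return conj(*c1, *c2)

    def psi_uv(u, v):                                            # equation (4)
        return imp(pi((u,), phi1[u]), conj(pi((u, v), phi2[v]), phi_uv(u, v)))

    matrix = conj(atom((s, t)), *[imp(atom(uv), psi_uv(*uv)) for uv in X_R])   # equation (2)
    prefix = [("forall", sorted(P1)), ("exists", sorted(P2)), ("exists", X_R),
              ("forall", X_T1), ("exists", X_T2)]
    return prefix, matrix

def valuations(xs):
    """All 2^|xs| partial valuations of the variables xs (as sets of true variables)."""
    for bits in product((False, True), repeat=len(xs)):
        yield frozenset(x for x, b in zip(xs, bits) if b)

def qbf(prefix, matrix, val=frozenset()):
    """Decide the closed QBF by expanding the prefix block by block."""
    if not prefix:
        return holds(matrix, val)
    (q, xs), rest = prefix[0], prefix[1:]
    pick = any if q == "exists" else all
    return pick(qbf(rest, matrix, val | v) for v in valuations(xs))

def refines(m1, s, m2, t):
    return qbf(*encode(m1, s, m2, t))

# Constructed toy systems (not from the paper).  MUST: u0 must do a; MAY: v0 may do a;
# PAR_P / PAR_Q: the a-transition is present exactly when the parameter holds.
MUST = ({"u0", "u1"}, {("u0", "a", "u1")}, set(), {"u0": atom(("a", "u1")), "u1": TT})
MAY = ({"v0", "v1"}, {("v0", "a", "v1")}, set(), {"v0": TT, "v1": TT})
PAR_P = ({"u0", "u1"}, {("u0", "a", "u1")}, {"p"}, {"u0": iff(atom(("a", "u1")), atom("p")), "u1": TT})
PAR_Q = ({"v0", "v1"}, {("v0", "a", "v1")}, {"q"}, {"v0": iff(atom(("a", "v1")), atom("q")), "v1": TT})

if __name__ == "__main__":
    print("u0 <=m v0 (must refines may):", refines(MUST, "u0", MAY, "v0"))     # True
    print("v0 <=m u0 (may refines must):", refines(MAY, "v0", MUST, "u0"))     # False
    print("PAR_P <=m PAR_Q              :", refines(PAR_P, "u0", PAR_Q, "v0"))  # True
    print("PAR_P <=m MUST               :", refines(PAR_P, "u0", MUST, "u0"))   # False
```

The third case exercises the $\forall P_1 \exists P_2$ prefix: for each value of $p$ the expansion picks the matching value of $q$ before guessing $R$, which is exactly the freedom Definition 3.3 grants and the fixed-relation definition does not.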
4.3 Experimental Results

We now show how our method performs in practice. We implemented the reduc- 
tion and linked it to the QBF solver Quantor. In order to evaluate whether our 
solution scales, we generate random samples of MTS, disjunctive MTS, Boolean 
MTS and parametric MTS with different numbers of parameters (as displayed 
in tables below in parenthesis). For each type of system and the number of 
reachable states (25 to 200 as displayed in columns), we generate several pairs 
of systems and compute the average time to check modal refinement between 
them. 

We show several sets of experiments. In Table 1 we consider (1) systems with alphabet of size 2 and all states with branching degree 2, and (2) systems with alphabet of size 10 and all states with branching degree 10. Further, in Table 2 we consider systems with alphabet of size 2 and all states with branching degree 5. Here we first consider the systems as above, i.e. with edges generated randomly so that they create a tree and with some additional "noise" edges thus making the branching degree constant. Second, we consider systems where we have different "clusters", each of which is interconnected with many edges. Each of these clusters has a couple of "interface" states, which are used to connect to other clusters. We use this class of systems to model system descriptions with more organic structure.

The entries in the tables are average running times in seconds. The standard deviation in our experiments was around 30-60%. Each star denotes that on one of five experiments, the QBF solver Quantor timed out after one minute. The experiments were run on an Intel Core 2 Duo CPU P9600 2.66GHz x 2 with 3.8 GB RAM using Java 1.7. For more details and more experiments, see http://www.model.in.tum.de/~kretinsk/ictac13.html.

Table 1. Experimental results: systems over alphabet of size 2 with branching degree 2 in the upper part, and systems over alphabet of size 10 with branching degree 10 in the lower part (columns: number of reachable states; entries: average running time in seconds)

                 25     50     75    100    125    150    175    200
MTS            0.03   0.15   0.29   0.86   0.87   0.96   1.88   2.48
DMTS           0.04   0.22   0.39   0.91   1.13   1.34   2.61   3.19
BMTS           0.03   0.15   0.30   0.62   0.83   0.87   1.61   2.17
PMTS(1)        0.03   0.20   0.37   0.84   0.97   1.23   2.44   3.15
PMTS(5)        0.04   0.22   0.42   0.91   1.26   1.59   2.83   3.66

MTS            0.18   0.84   2.12   3.88   5.63   7.64  10.30  14.18
DMTS           0.44   2.23   5.31   8.59  10.13  14.14  13.96  66.92
BMTS           0.21   1.08   2.65   4.58   6.70   9.63  12.44  17.06
PMTS(1)        0.26   1.12   2.74   4.57   7.58  10.31  11.26  16.41
PMTS(5)        0.25   1.17   2.94   6.36   7.80  10.01  11.90  36.51

[Figure: running time against the number of states, plotted from Table 1 for the series PMTS(5) and BMTS over the alphabet of size 10 and PMTS(5) and BMTS over the alphabet of size 2.]

On the one hand, observe that the number of parameters does not play any major role in the running time. The running times on PMTS with 5 or even more parameters are very close to BMTS, i.e. PMTS with zero parameters, as can be seen in the graph. Therefore, the greatest theoretical complexity threat — the number of parameters allowing in general only for searching all exponentially many combinations — is in practice eliminated by the use of QBF solvers.

Table 2. Experimental results: systems over alphabet of size 2 with branching degree 5; systems with random structure in the upper part, and systems with organic structure in the lower part (columns: number of reachable states; entries: average running time in seconds; a star marks a one-minute timeout of Quantor in one of five runs)

                 25     50     75    100    125    150    175    200
PMTS(1)        0.34   2.04   5.38   8.81  11.78  17.41  27.33  58.06
PMTS(5)        0.29   1.83  *5.19  12.79  15.71  26.60 *35.30  89.25
PMTS(10)      *0.43   1.36   6.70  13.66 *18.27 *21.10  51.67 232.83

PMTS(1)        0.05   0.14   0.18   0.30   3.40   0.73   0.85   0.96
PMTS(5)        0.02   0.04   0.23   0.70   0.58   0.39   1.13  *2.35
PMTS(10)       0.02   0.10   0.16  *0.16  *0.29   1.55   0.97   1.13

On the other hand, observe that the running time is more affected by the level of non-determinism. For branching degree 10 over a 10-letter alphabet, there are more likely to be more outgoing transitions under the same letter than in the case with branching degree 2 over a 2-letter alphabet, but still fewer than for branching degree 5 over a 2-letter alphabet. However, the level of non-determinism is often quite low [BKLS09], hence this dependency does not pose so serious a problem in practice. Further, even this most difficult setting with a high level of non-determinism allows for fast analysis if systems with natural organic structure are considered, cf. upper and lower part of Table 2.

A more serious problem stems from our use of Java. With sizes around 200, 
the running times often get considerably longer, see the tables. Here the memory 
management and the garbage collection take their toll. However, this problem 
should diminish in a garbage-collection-free setting. 

5 Thorough Refinement Checking 

While modal refinement has been defined syntactically, there is also a corresponding notion defined semantically. The semantics of a state $s$ of a PMTS is the set of its implementations $[\![s]\!] := \{i \mid i \text{ is an implementation and } i \le_m s\}$.

Definition 5.1 (Thorough Refinement). For states $s_0$ and $t_0$ of PMTS, we say that $s_0$ thoroughly refines $t_0$, written $s_0 \le_t t_0$, if $[\![s_0]\!] \subseteq [\![t_0]\!]$.

5.1 Transforming PMTS to BMTS and DMTS 

The thorough refinement problem is EXPTIME-complete for MTS [BKLS12] and also for DMTS [BCK11] (for proof, see [BCK10]). First, we show how to transform PMTS to BMTS and DMTS and thus reduce our problems to the already solved one.

For a PMTS, we define a system where we can use any valuation of the 
parameters: 
Definition 5.2. For a PMTS $\mathcal{M} = (S, T, P, \Phi)$ with initial state $s_0$, we define a BMTS called de-parameterization $\mathcal{M}^B = (\{s_0'\} \cup S \times 2^P, T', \emptyset, \Phi')$ with initial state $s_0'$ and

- $T' = \{(s_0', a, (s, \nu)) \mid (s_0, a, s) \in T, \nu \subseteq P\} \cup \{((s, \nu), a, (s', \nu)) \mid (s, a, s') \in T\}$,

- $\Phi'(s_0') = \bigvee_{\nu \subseteq P} \Phi(s_0)[\mathrm{tt}/p \text{ for } p \in \nu,\ \mathrm{ff}/p \text{ for } p \notin \nu,\ (s,\nu)/s]$,

- $\Phi'((s, \nu)) = \Phi(s)[\mathrm{tt}/p \text{ for } p \in \nu,\ \mathrm{ff}/p \text{ for } p \notin \nu,\ (s,\nu)/s]$.

The de-parameterization is a BMTS having exactly all the implementations 
of the PMTS and only one (trivial) valuation. 

Proposition 5.3. Let $s_0$ be a PMTS state. Then $[\![s_0]\!] = [\![s_0^B]\!]$ and $s_0 \le_m s_0^B$. 

Proof. For any parameter valuation $\nu$ we match it with the (trivial) valuation 
of the BMTS, and the modal refinement is achieved in the copy with $\nu$ fixed in 
the second component. Clearly, any implementation of $s_0^B$ corresponds to a 
particular parameter valuation and thus also to an implementation of $s_0$. □ 

Remark 5.4. The price we have to pay is a blowup exponential in $|P|$. This is, 
however, inevitable. Indeed, consider a PMTS $(\{s_0, s_1, s_2\}, \{(s_0, p, s_1), (s_1, p, s_2) \mid 
p \in P\}, P, \{s_0, s_1 \mapsto \bigwedge_{p \in P} ((p, s') \Leftrightarrow p),\ s_2 \mapsto tt\})$, where $s'$ denotes 
the respective successor ($s_1$ resp. $s_2$). Then in every equivalent BMTS 
we need to remember the transitions of the first step so that we can repeat ex- 
actly these in the following step. Since there are exponentially many possibilities, 
the result follows. 

Further, similarly to Boolean formulae with states in [BDF+], we can trans- 
form every BMTS to a DMTS. 

Definition 5.5. For a BMTS $\mathcal{M} = (S, T, \emptyset, \Phi)$ with initial state $s_0$, we define 
a DMTS called de-negation $\mathcal{M}^D = (S', T', \emptyset, \Phi')$ with 

- $S' = \{M \in \mathit{Tran}(s) \mid s \in S\}$, 

- $\Phi'(M) = \bigwedge_{(a, s') \in M} \bigvee_{M' \in \mathit{Tran}(s')} (a, M')$, 

and $T'$ minimal such that for each $M \in S'$ and each occurrence of $(a, M')$ in 
$\Phi'(M)$, we have $(M, a, M') \in T'$. 

However, this DMTS needs to have more initial states in order to be equiv- 
alent to the original BMTS: 

Lemma 5.6. For a state $s_0$ of a BMTS, $[\![s_0]\!] = \bigcup_{M \in \mathit{Tran}(s_0)} [\![M]\!]$ (where $M$ are 
taken as states of the de-negation). 

Note that both transformations are exponential: the first one in $|P|$ and the 
second one in the branching degree. Therefore, their composition is still only 
singly exponential, yielding a state space where each state has two components: 
a valuation of the original parameters and $\mathit{Tran}$ of the original state under this 
valuation. 
Theorem 5.7. Thorough refinement on PMTS is in 2-EXPTIME. 

Proof. Recall that thorough refinement on DMTS is in EXPTIME. Further, note 
that we have reduced the PMTS and BMTS thorough refinement problems to the 
one on DMTS with more initial states. However, this does not pose a problem. 
Indeed, let $s_0$ and $t_0$ be states of a BMTS. We want to check whether $s_0 \le_t t_0$. 
According to [BCK10], where DMTS only have one initial state, we only need 
to check whether for each $M \in \mathit{Tran}(s_0)$ we have $(M, \mathit{Tran}(t_0)) \notin \mathit{Avoid}$, which 
can clearly still be done in exponential time. □ 

5.2 Direct algorithm 

We now extend the approach for MTS and DMTS to the BMTS case. Before 
proceeding, one needs to prune all inconsistent states, i.e. those with an unsatisfiable 
obligation. This is standard and the details can be found in Appendix B. 

We define a set $\mathit{Avoid}$, which contains pairs consisting of one process and one 
set of processes. A pair is contained in the relation if there exists an implemen- 
tation refining the single process, but none of the other processes. This approach 
is very similar to [BKLS12], but the rules for generating $\mathit{Avoid}$ are much more 
complex. 

Definition 5.8 (Avoid). Let $(S, T, \emptyset, \Phi)$ be a globally consistent BMTS over the 
action alphabet $\Sigma$. The set of avoiding states of the form $(s, T)$, where $s \in S$ and 
$T \subseteq S$, is the smallest set $\mathit{Avoid}$ such that $(s, T) \in \mathit{Avoid}$ whenever $T = \emptyset$ or 
there exists an admissible set of transitions $M \in \mathit{Tran}(s)$ and sets $\mathit{later}_{a,u,f} \subseteq S$ 
for every $a \in \Sigma$, $u \in S$, $f \in \bigcup_{t \in T} \mathit{Tran}(t)$ such that 

$$\forall t \in T : \forall N_t \in \mathit{Tran}(t) : \exists a \in \Sigma :$$
$$\Big( \exists t_a \in N_t(a) : \forall s_a \in M(a) : \forall f \in \bigcup_{t \in T} \mathit{Tran}(t) : t_a \in \mathit{later}_{a,s_a,f}$$
$$\lor\ \exists s_a \in M(a) : \forall t_a \in N_t(a) : t_a \in \mathit{later}_{a,s_a,N_t} \Big)$$
$$\land\ \forall f \in \bigcup_{t \in T} \mathit{Tran}(t) : \forall (a, s_a) \in M : (s_a, \mathit{later}_{a,s_a,f}) \in \mathit{Avoid}$$

hold. 

Lemma 5.9. Given processes $s, t_1, t_2, \dots, t_n$ of some finite, globally consistent BMTS, 
there exists an implementation $I$ such that $I \le_m s$ and $I \not\le_m t_i$ for all $i \in [1, n]$ 
if and only if $(s, \{t_1, t_2, \dots, t_n\}) \in \mathit{Avoid}$. 

Theorem 5.10. Thorough refinement checking on BMTS is in NEXPTIME. 

Proof. For deciding $s \le_t t$ the $\mathit{Avoid}$ relation has to be computed, whose size 
grows exponentially with the size of the underlying system. Moreover, in each 
step in which a new element is added to $\mathit{Avoid}$, the sets $\mathit{later}_{a,s,f}$ need to be 
guessed. □ 
6 Thorough vs. Modal Refinement 

In this section, we discuss the relationship of the two refinements. Some proofs 
are moved to Appendix C. Firstly, the modal refinement is a sound approxima- 
tion to the thorough refinement. 

Proposition 6.1. Let $s_0$ and $t_0$ be states of PMTS. If $s_0 \le_m t_0$ then also $s_0 \le_t t_0$. 

Proof. For any $i \in [\![s_0]\!]$, we have $i \le_m s_0$ and due to transitivity of $\le_m$, $i \le_m 
s_0 \le_m t_0$ implies $i \le_m t_0$, hence $i \in [\![t_0]\!]$. □ 

The converse fails already for MTS as shown in the following classical example 
[BKLS09] where $s_0 \le_t t_0$, but $s_0 \not\le_m t_0$. 

[Figure: the classical MTS example with states $s_0, s_1, s_2$ and $t_0, t_1, t_2, t_1'$ and $a$-transitions; the transition structure is not recoverable from the text] 


However, provided the refined MTS is deterministic, the approximation is also 
complete [BKLS09]. This holds also for BMTS. This is very useful as determin- 
istic systems often appear in practice [BKLS09] and checking modal refinement 
is computationally easier than checking thorough refinement. Formally, we say that 
a PMTS $(S, T, P, \Phi)$ is deterministic if for every $(s, a, t), (s, a, t') \in T$ we have 
$t = t'$. 

Proposition 6.2. Let $s_0$ be a PMTS state and $t_0$ a deterministic BMTS state. 
If $s_0 \le_t t_0$ then also $s_0 \le_m t_0$. 

However, the completeness fails if the refined system is deterministic but has 
parameters: 

Example 6.3. Consider a BMTS $(\{s_0, s_1\}, \{(s_0, a, s_1)\}, \emptyset, \{s_0 \mapsto tt, s_1 \mapsto tt\})$ and 
a deterministic PMTS $(\{t_0, t_1\}, \{(t_0, a, t_1)\}, \{p\}, \{t_0 \mapsto (a \Leftrightarrow p), t_1 \mapsto tt\})$ below. 
Obviously $[\![s_0]\!] = [\![t_0]\!]$ contains the implementations with no transitions or one 
step $a$-transitions. Although $s_0 \le_t t_0$, we do not have $s_0 \le_m t_0$ as we cannot 
match with any valuation of $p$. 



[Figure: the BMTS $s_0 \xrightarrow{a} s_1$ and the PMTS $t_0 \xrightarrow{a} t_1$ of Example 6.3 with $\Phi(t_0) = a \Leftrightarrow p$, next to the de-parameterization of $t_0$, whose initial obligation reads $(a \Leftrightarrow tt) \lor (a \Leftrightarrow ff)$] 



Corollary 6.4. There is a state $s_0$ of a PMTS and a state $t_0$ of a deterministic 
PMTS such that $s_0 \le_t t_0$ but $s_0 \not\le_m t_0$. 

In the previous example, we lacked the option to match a system with differ- 
ent parameter valuations at once. However, the de-parameterization introduced 
earlier is non-deterministic even if the original system was deterministic. Hence 
the modal refinement is not guaranteed to coincide with the thorough refinement. 
In [BKLS09], we defined the notion of deterministic hull, the best deterministic 
overapproximation of a system. The construction on may transitions was the 
standard powerset construction and a must transition was created if all states 
of a macrostate had one. Here we extend this notion to PMTS, which allows us to 
over- and under-approximate the thorough refinement by the modal refinement. 

Definition 6.5. For a PMTS $\mathcal{M} = (S, T, P, \Phi)$ with initial state $s_0$, we de- 
fine a PMTS called deterministic hull $\mathcal{D}(\mathcal{M}) = (2^S, T', P, \Phi')$ with initial state 
$\mathcal{D}(s_0) := \{s_0\}$ and 

- $T' = \{(S, a, S_a)\}$ where $S_a$ denotes all $a$-successors of elements of $S$, i.e. 
$S_a = \{s' \mid \exists s \in S : (s, a, s') \in T\}$, 

- $\Phi'(S) = \bigvee_{s \in S} \Phi(s)[(a, S_a)/(a, s') \text{ for every } a, s']$. 

Proposition 6.6. For a PMTS state $s_0$, $\mathcal{D}(s_0)$ is deterministic and $s_0 \le_m 
\mathcal{D}(s_0)$. 

We now show the minimality of the deterministic hull. 

Proposition 6.7. Let $s_0$ be a PMTS state. Then 

- for every deterministic PMTS state $t_0$, if $s_0 \le_m t_0$ then $\mathcal{D}(s_0) \le_m t_0$; 

- for every deterministic BMTS state $t_0$, if $s_0 \le_t t_0$ then $\mathcal{D}(s_0) \le_m t_0$. 

The next transformation allows for removing the parameters without introducing 
non-determinism. 

Definition 6.8. For a PMTS $\mathcal{M} = (S, T, P, \Phi)$ with initial state $s_0$, we define a 
BMTS called parameter-free hull $\mathcal{P}(\mathcal{M}) = (S, T, \emptyset, \Phi')$ with initial state $\mathcal{P}(s_0) := 
s_0$ and 

$$\Phi'(s) = \bigvee_{\nu \subseteq P} \Phi(s)[tt/p \text{ for } p \in \nu,\ ff/p \text{ for } p \notin \nu].$$

Lemma 6.9. For a PMTS state $s_0$, $s_0 \le_m s_0^B \le_m \mathcal{P}(s_0)$. 

The parameter-free deterministic hull now plays the role of the deterministic 
hull for MTS. 

Corollary 6.10. For PMTS states $s_0$ and $t_0$, if $s_0 \le_t t_0$ then $s_0 \le_m \mathcal{P}(\mathcal{D}(t_0))$. 

Proof. Since $s_0 \le_t t_0$, we also have $s_0 \le_t \mathcal{D}(t_0)$ by Propositions 6.6 and 6.1. 
Therefore, $s_0 \le_t \mathcal{P}(\mathcal{D}(t_0))$ by Proposition 6.9 and thus $s_0 \le_m \mathcal{P}(\mathcal{D}(t_0))$ by 
Proposition 6.2. □ 
7 Conclusions 

We have investigated both modal and thorough refinement on the Boolean and para- 
metric extensions of modal transition systems. Apart from the results summarized in 
the table below, we have shown a practical way to compute modal refinement 
and to use it for approximating thorough refinement. Closing the complexity gap 
for thorough refinement, i.e. obtaining matching lower bounds or improving our 
algorithm, remains an open question. 



[Table: summary of the complexity results; only the column heading "refined system deterministic" is recoverable from the text] 
Appendix: Proofs 



A Modal Refinement Checking: Proof of Theorem 4.3 



Before proving the soundness and the correctness of the construction for BMTS, 
a lemma is introduced to simplify this proof. 

Lemma A.1. Let $(s, t) \in S_1 \times S_2$ be a pair of states. Let $A_{X_R}$, $A_{X_{T_1}}$ and 
$A_{X_{T_2}}$ be partial valuations for the sets of atomic propositions appearing in their 
indices. Furthermore let $R \subseteq S_1 \times S_2$, $M \in \mathit{Tran}_\emptyset(s)$ and $N \in \mathit{Tran}_\emptyset(t)$ be sets. 
If $A_{X_R} \cong R$, $A_{X_{T_1}} \cong \pi_s(M)$ and $A_{X_{T_2}} \cong \pi_{s,t}(N)$ hold, then $A_{X_R} \cup A_{X_{T_1}} \cup 
A_{X_{T_2}} \models \psi_{s,t}$ if and only if 

$$R \cup M \cup N \models \forall (a, s') \in M : \exists (a, t') \in N : (s', t') \in R \ \land\ \forall (a, t') \in N : \exists (a, s') \in M : (s', t') \in R$$

Proof. We assume the conditions and set $A_X = A_{X_R} \cup A_{X_{T_1}} \cup A_{X_{T_2}}$ and $A_R = 
R \cup M \cup N$. Additionally, we only consider one half of the conjunction, as the 
other is proven analogously. 

$$A_R \models \forall (a, s') \in M : \exists (a, t') \in N : (s', t') \in R$$
$$\text{iff}\quad A_R \models \bigwedge_{(a, s') \in T_1(s)} \Big( (a, s') \in M \Rightarrow \bigvee_{(a, t') \in T_2(t)} \big( (a, t') \in N \land (s', t') \in R \big) \Big)$$
$$\text{iff}\quad A_X \models \bigwedge_{s^* = (s, a, s')} \Big( s^* \Rightarrow \bigvee_{t^* = (s, t, a, t')} \big( t^* \land (s', t') \big) \Big)$$

As $M$ and $N$ are finite sets, the $\forall$ and $\exists$ quantifiers may simply be expanded. In 
the second step we simply apply $\pi$ and substitute $\in$ with atomic propositions. 

□ 

A relation satisfying the conditions of the definition of the modal refinement 
is called a modal refinement relation. 

Soundness and Correctness. 'If' part (soundness of the construction). Assume 
$s \le_m t$ with the modal refinement relation $R$. As the partial valuation for $X_R$, 
we set $A_{X_R} = R$. Furthermore let $A_{X_{T_1}} \subseteq X_{T_1}$ be an arbitrary assignment. We 
now construct an assignment $A_{X_{T_2}}$ such that 

$$A = A_{X_R} \cup A_{X_{T_1}} \cup A_{X_{T_2}} \models \Psi_{s,t}$$

holds. Without adding anything to $A_{X_{T_2}}$, clearly $A \models (s, t)$ and $A \models (u, v) \Rightarrow 
\psi_{u,v}$ for all $(u, v) \in X_R \setminus R$ hold. 
Let now $(u, v) \in R$ be an arbitrary pair of states. If $A \not\models \pi_u(\Phi(u))$, then 
$A \models \psi_{u,v}$ and $A \models (u, v) \Rightarrow \psi_{u,v}$. Hence we assume now $A \models \pi_u(\Phi(u))$. 
Since $(u, v) \in R$, there exists for all $M \in \mathit{Tran}_\emptyset(u)$ a set $N$, such that the 
condition holds, which is included in the assignment $A_{X_{T_2}} \cong \pi_{u,v}(N)$. This can 
safely be done due to the prefixing and with Lemma A.1 we get $A \models \psi_{u,v}$ and 
$A \models (u, v) \Rightarrow \psi_{u,v}$. 

As a valuation $A$ can be constructed for a fixed modal refinement relation, 
such that for all subsets of $X_{T_1}$ it satisfies the formula, $\exists X_R \forall X_{T_1} \exists X_{T_2}\, \Psi_{s,t} \in 
\mathrm{QBF}$ holds. 

'Only-If' part (correctness of the construction). We now assume 

$$\exists X_R \forall X_{T_1} \exists X_{T_2}\, \Psi_{s,t} \in \mathrm{QBF}.$$

Then there exists a partial valuation $A_{X_R} \subseteq A$ for $X_R$, which satisfies $\Psi_{s,t}$. $R$ is 
simply constructed by setting $R = A_{X_R}$. Clearly $(s, t) \in R$. Let now $(u, v) \in R$ 
be an arbitrary pair of states. As $\psi_{u,v}$ is satisfied for this pair, either $\Phi(u)$ is 
unsatisfiable and there simply exists no $M \in \mathit{Tran}_\emptyset(u)$, or for the chosen $M = 
\pi_u^{-1}(A_{X_{T_1}})$ there exists an $N = \pi_{u,v}^{-1}(A_{X_{T_2}})$. By Lemma A.1 the modal refinement 
condition holds for this arbitrary pair. Hence $R$ is a modal refinement relation. □ 

Polynomial Runtime of the Reduction. We show that the reduction indeed 
takes only polynomial time. For this observe that the quantifier-free part of $\psi_{u,v}$ is in 
$O(|T_1(u)| \cdot |T_2(v)|)$. Therefore $\psi_{u,v}$ is in $O(|T_1(u)| \cdot |T_2(v)| + |\Phi_1(u)| + |\Phi_2(v)|)$, leading to a 
total formula size of 

$$O\big(|S_1| \cdot |S_2| \cdot (|T_1| \cdot |T_2| + |\Phi_1| + |\Phi_2|)\big).$$

B Thorough Refinement 

B.1 Pruning 

Now the preprocessing is formally introduced. Basically, we prune all the "in- 
consistent" states. 

Definition B.1 (Consistency). A state $s$ of a BMTS is called locally consis- 
tent if $\Phi(s)$ is satisfiable, otherwise it is called locally inconsistent. If all states of 
a BMTS are locally consistent, the BMTS is called locally consistent. A state $s$ 
of a BMTS is called globally consistent if it has an implementation, i.e. $[\![s]\!] \neq \emptyset$. 

Lemma B.2. If $(S, T, \emptyset, \Phi)$ is a globally consistent BMTS, then for all $s \in S$: 

$$\forall M \in \mathit{Tran}_\emptyset(s) : \exists I \in [\![s]\!] : T_I(s_I) = M$$

Proof. Assume the conditions of the lemma. As the BMTS is globally consistent, 
for all $s \in S$ the set $\mathit{Tran}_\emptyset(s)$ is non-empty. Let now $s \in S$ be an arbitrary 
state and $M \in \mathit{Tran}_\emptyset(s)$ an arbitrary set of admissible transitions. We define 
an implementation $(S_I, T_I, \emptyset, \Phi_I)$ with $S_I = \{t_I \mid t \in S\}$, $T_I(s_I) = M$ and 
for all $t_I \in S_I \setminus \{s_I\}$ and some $N \in \mathit{Tran}_\emptyset(t)$ we set $T_I(t_I) = N$. As e.g. 
$R = \{(t_I, t) \mid t \in S\}$ is a suitable modal refinement relation, $s_I \le_m s$ holds. □ 

Corollary B.3. If a state of a BMTS is locally consistent, it is also globally 
consistent. 

Proof. As the system is globally consistent, Lemma B.2 is applicable. Because 
$\mathit{Tran}_\emptyset(s)$ is non-empty for every $s \in S$, there is at least one implementation 
refining $s$. Thus $[\![s]\!] \neq \emptyset$. □ 

As one may have already noted, a locally inconsistent $s \in S$ of some system 
cannot have any implementation, as $\mathit{Tran}_\emptyset(s)$ is empty. This is captured by the 
following lemma. 

Lemma B.4. Removing a locally inconsistent state $s \in S$ from a BMTS does 
not change the semantics $[\![t]\!]$ of any other process $t \in S \setminus \{s\}$. 

Proof. As the obligation of the state $s$ is unsatisfiable, $\mathit{Tran}_\emptyset(s)$ is empty. Hence 
the modal refinement condition is always violated if the left system is locally 
consistent, which holds for implementations. Therefore, $(u, s) \notin R$ for any state 
$u$ of an implementation. Removing the state from the system never affects the 
modal refinement relation, thus never changes the semantics of any other process 
of the system. □ 

However, please note that while removing states from a system does not affect 
the semantics of other states, it still can make them locally inconsistent. As a 
preprocessing step, before constructing the $\mathit{Avoid}$ relation, one has to remove all 
locally inconsistent states until the system becomes globally consistent. If one 
of the states for which thorough refinement should be decided is removed, the 
decision becomes trivial. If the left one is inconsistent, the refinement holds. 
In the other case it does not. 
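As an added illustration (not part of the paper), the preprocessing just described in Python: states whose obligation admits no transition set are removed repeatedly, since deleting a state also deletes the transitions into it and can make further states locally inconsistent, and the trivial decision for a pruned endpoint is included. The BMTS below is constructed for this purpose; its obligations are kept as predicates over the chosen transition set.

```python
from itertools import combinations

def tran(trans, phi, s):
    """Tran(s) of a BMTS: the subsets of the remaining transitions of s that
    satisfy its obligation phi[s], a predicate over the chosen transition set."""
    ts = list(trans[s])
    return [frozenset(c) for r in range(len(ts) + 1) for c in combinations(ts, r)
            if phi[s](frozenset(c))]

def prune(trans, phi):
    """Remove locally inconsistent states (empty Tran) until the remaining BMTS
    is locally, hence globally, consistent.  Deleting a state deletes the
    transitions into it, which can make further states inconsistent (the
    remark after Lemma B.4), so the removal is iterated to a fixpoint.
    Returns the pruned transition relation and the removed states in order."""
    trans = {s: set(ts) for s, ts in trans.items()}
    removed = []
    while True:
        bad = [s for s in trans if not tran(trans, phi, s)]
        if not bad:
            return trans, removed
        for s in bad:
            del trans[s]
            removed.append(s)
        for s in trans:  # dangling transitions disappear, so phi sees them as false
            trans[s] = {(a, s2) for a, s2 in trans[s] if s2 in trans}

def trivial_decision(trans, phi, s, t):
    """Thorough refinement s <=_t t when pruning removes an endpoint: it holds if
    s is inconsistent (no implementations), fails if only t is; None otherwise."""
    _, removed = prune(trans, phi)
    if s in removed:
        return True
    if t in removed:
        return False
    return None

# Constructed BMTS: x0 must move by 'a' to x1, x1 must move by 'b' to x2, and x2
# carries the unsatisfiable obligation ff.  Pruning x2 cascades to x1 and x0.
TRANS = {'x0': {('a', 'x1')}, 'x1': {('b', 'x2')}, 'x2': set(), 'y0': set()}
PHI = {'x0': lambda M: ('a', 'x1') in M,
       'x1': lambda M: ('b', 'x2') in M,
       'x2': lambda M: False,
       'y0': lambda M: True}
```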

B.2 Bounded Refinement 

In the course of the proof of Lemma 5.9 we use a bounded version of Definition 
3.2 which coincides in the limit with the normal definition of modal refinement. 

Definition B.5 (Bounded Modal Refinement). Let $\mathcal{M}_1 = (S_1, T_1, P_1, \Phi_1)$ 
and $\mathcal{M}_2 = (S_2, T_2, P_2, \Phi_2)$ be two PMTS. A binary relation $R^n_{\mu,\nu} \subseteq S_1 \times S_2$ ($n \in 
\mathbb{N}_0$) is a bounded modal refinement relation under two fixed valuations $\mu \subseteq P_1$ 
and $\nu \subseteq P_2$ if either $n = 0$, then $R^0_{\mu,\nu} = S_1 \times S_2$, or if for every $(s, t) \in R^{n+1}_{\mu,\nu}$ 
holds 

$$\forall M \in \mathit{Tran}_\mu(s) : \exists N \in \mathit{Tran}_\nu(t) :$$
$$\forall (a, s') \in M : \exists (a, t') \in N : (s', t') \in R^n_{\mu,\nu} \ \land\ \forall (a, t') \in N : \exists (a, s') \in M : (s', t') \in R^n_{\mu,\nu}$$

We say that $s$ $n$-bounded modally refines $t$, denoted by $s \le^n_m t$, if for all $\mu \subseteq P_1$ 
there exists a modal refinement relation $R^n_{\mu,\nu}$ with some $\nu \subseteq P_2$ such that $(s, t) \in 
R^n_{\mu,\nu}$. 

Lemma B.6. On finite PMTS modal refinement and bounded modal refine- 
ment coincide, meaning $s \le_m t$ if and only if $s \le^n_m t$ for all $n \in \mathbb{N}_0$. 

Proof. 'If' part. Let us assume $s \le^n_m t$ for all $n \in \mathbb{N}_0$. Then there exists for every 
$\mu \subseteq P_1$ a nonincreasing series of sets $R^0_{\mu,\nu}, R^1_{\mu,\nu},  R^2_{\mu,\nu}, \dots$ with the bounded modal 
refinement definition applied each time, and $(s, t)$ is contained in all these sets. 
Every iteration of the bounded modal refinement definition will either remove at 
least one element or remove nothing and stabilize. As the underlying PMTS is 
finite, this series is stable after at most $|S_1 \times S_2|$ iterations and $R^n_{\mu,\nu} = R^{n+1}_{\mu,\nu} \ni 
(s, t)$ is a sufficient modal refinement relation for $\mu$ and $\nu$. As this is applicable 
for every $\mu \subseteq P_1$, $s \le_m t$ holds. 

'Only-If' part. Let us assume $s \le_m t$. Then there exists for every $\mu \subseteq P_1$ a 
modal refinement relation with $(s, t) \in R_{\mu,\nu}$. Let now $R^0_{\mu,\nu}, R^1_{\mu,\nu}, R^2_{\mu,\nu}, \dots$ be 
a nonincreasing series of sets with each time the bounded modal refinement 
definition applied. Clearly for all $i \in \mathbb{N}_0 : (s, t) \in R_{\mu,\nu} \subseteq R^i_{\mu,\nu}$. As this can 
be done for every $\mu \subseteq P_1$, we have $s \le^n_m t$ for all $n \in \mathbb{N}_0$. □ 
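The following Python code is an added example and not part of the paper: it decides modal refinement of finite PMTS as the stable limit of the bounded relations $R^0, R^1, \dots$ of Definition B.5 (Lemma B.6), builds the deterministic hull of Definition 6.5 and the parameter-free hull of Definition 6.8, and runs Example 6.3 to show $s_0 \not\le_m t_0$ but $s_0 \le_m \mathcal{P}(\mathcal{D}(t_0))$ as Corollary 6.10 predicts. Obligations are represented as Python predicates over the chosen transition set and the valuation rather than as formulas, and the two systems are constructed from the example's description.

```python
from itertools import combinations

def subsets(xs):
    """All subsets of a finite collection as frozensets (2^P and 2^T(s))."""
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

class PMTS:
    """(S, T, P, Phi): trans maps a state to its (a, s') pairs; phi[s](M, nu) is
    True when the transition set M satisfies Phi(s) under valuation nu (tt set)."""
    def __init__(self, trans, params, phi):
        self.trans, self.params, self.phi = trans, frozenset(params), phi

    def tran(self, s, nu):
        """Tran_nu(s): the admissible transition sets of s under valuation nu."""
        return [M for M in subsets(self.trans[s]) if self.phi[s](M, nu)]

def greatest_refinement(lhs, mu, rhs, nu):
    """Stable limit of R^0 = S1 x S2, R^1, ... from Definition B.5 for fixed mu, nu;
    each R^{n+1} is computed from R^n only (Lemma B.6)."""
    R = {(s, t) for s in lhs.trans for t in rhs.trans}

    def matched(M, N):  # both conjuncts of the refinement condition w.r.t. R
        return (all(any(a == b and (s2, t2) in R for b, t2 in N) for a, s2 in M)
                and all(any(a == b and (s2, t2) in R for a, s2 in M) for b, t2 in N))

    while True:
        drop = {(s, t) for s, t in R
                if not all(any(matched(M, N) for N in rhs.tran(t, nu))
                           for M in lhs.tran(s, mu))}
        if not drop:
            return R
        R -= drop

def modally_refines(lhs, s0, rhs, t0):
    """s0 <=_m t0: for every valuation mu of the left system some valuation nu
    of the right system puts (s0, t0) into the greatest refinement relation."""
    return all(any((s0, t0) in greatest_refinement(lhs, mu, rhs, nu)
                   for nu in subsets(rhs.params))
               for mu in subsets(lhs.params))

def parameter_free_hull(m):
    """Definition 6.8: same states and transitions; each obligation becomes the
    disjunction of Phi(s) over all parameter valuations."""
    vals = subsets(m.params)
    phi = {s: (lambda M, _nu, s=s: any(m.phi[s](M, v) for v in vals)) for s in m.phi}
    return PMTS(m.trans, (), phi)

def deterministic_hull(m, s0):
    """Definition 6.5: powerset construction; macrostate S has the single
    a-successor S_a and obligation OR_{s in S} Phi(s)[(a, S_a)/(a, s')]."""
    def succ(S, a):
        return frozenset(s2 for s in S for b, s2 in m.trans[s] if b == a)
    trans, phi, todo = {}, {}, [frozenset([s0])]
    while todo:
        S = todo.pop()
        if S in trans:
            continue
        trans[S] = {(a, succ(S, a)) for s in S for a, _ in m.trans[s]}
        todo.extend(S2 for _, S2 in trans[S])
        # an original atom (a, s') is true in M exactly when the renamed (a, S_a) is
        phi[S] = lambda M, nu, S=S: any(
            m.phi[s](frozenset((a, s2) for a, s2 in m.trans[s] if (a, succ(S, a)) in M), nu)
            for s in S)
    return PMTS(trans, m.params, phi), frozenset([s0])

# Example 6.3, constructed from the paper's description: the BMTS s0 -a-> s1 with
# obligations tt, and the deterministic PMTS t0 -a-> t1 with Phi(t0) = (a <=> p).
S_SYS = PMTS({'s0': {('a', 's1')}, 's1': set()}, (),
             {'s0': lambda M, nu: True, 's1': lambda M, nu: True})
T_SYS = PMTS({'t0': {('a', 't1')}, 't1': set()}, ('p',),
             {'t0': lambda M, nu: (('a', 't1') in M) == ('p' in nu),
              't1': lambda M, nu: True})

def example_6_3():
    """(s0 <=_m t0, s0 <=_m P(D(t0))): the first fails because no single value of p
    admits both transition sets of s0, the second holds (Corollary 6.10)."""
    D, d0 = deterministic_hull(T_SYS, 't0')
    return (modally_refines(S_SYS, 's0', T_SYS, 't0'),
            modally_refines(S_SYS, 's0', parameter_free_hull(D), d0))
```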



B.3 Proof of Lemma 5.9 

First, we state a trivial technical claim. 

Claim. $\mathit{Avoid}$ is downward closed, i.e. 

$$(s, T) \in \mathit{Avoid} \implies \forall T' \subseteq T : (s, T') \in \mathit{Avoid}$$



Proof (of Lemma 5.9). 'If' part (soundness of the construction). As $\mathit{Avoid}$ is de- 
fined as the smallest set, let $\mathit{Avoid}_0, \mathit{Avoid}_1, \mathit{Avoid}_2, \dots$ denote the non-decreasing 
sequence of sets leading to $\mathit{Avoid}$ by applying the definition each time. We ini- 
tialize $\mathit{Avoid}_0$ with $(s, \emptyset)$ for all $s \in S$. We prove by induction on $n$ that, when- 
ever $(s, T) \in \mathit{Avoid}_n$, there exists an implementation $I$ such that $I \le_m s$ and 
$\forall t \in T : I \not\le_m t$. 

The base case $n = 0$ is trivial, as $T = \emptyset$, the underlying BMTS is globally 
consistent and by Corollary B.3 there is an implementation $I$ for $s$. For the 
induction step assume $(s, T) \in \mathit{Avoid}_{n+1}$. 

As $(s, T) \in \mathit{Avoid}_{n+1}$ there exist sets $M \in \mathit{Tran}_\emptyset(s)$ and $\mathit{later}_{a,s',f}$ such that 
the conditions of the definition hold. By the second part of the condition and the 
induction hypothesis, for all $(a, s') \in M$ and $f$ there exists an implementation 
$I_{a,s',f}$ with $I_{a,s',f} \le_m s'$ and $I_{a,s',f} \not\le_m t'$ for all $t' \in \mathit{later}_{a,s',f}$. We now construct 
a new implementation $I$, such that $I \le_m s$ and $I \not\le_m t$ for all $t \in T$. We simply 
take the disjoint union of the previously mentioned $I_{a,s',f}$, and add a new state $I$ 
with new transitions $(I, a, I_{a,s',f})$ for every $(a, s') \in M$ and $f$. 

We now show that indeed $I \le_m s$ and $I \not\le_m t$ for all $t \in T$ hold. The first 
claim trivially holds by construction. For the second claim, let us consider some 
arbitrary $t \in T$. Then for each $N \in \mathit{Tran}(t)$ there exists a particular action 
$a \in \Sigma$, for which one of the disjuncts holds. 

Whenever the first is true then either $M(a)$ is empty, which is a violation of 
the modal refinement condition, or there exists $t' \in N(a)$, which is contained in 
$\mathit{later}_{a,s',f}$ for each $s' \in M(a)$. Since $I_{a,s',f} \not\le_m t'$ the modal refinement condition 
is violated. 

Whenever the second is true then again either $N(a)$ is empty, which is a direct 
violation of the modal refinement definition, as $t$ cannot match the move of $I$, or 
there exists an $s' \in M(a)$, such that $\emptyset \neq N(a) \subseteq \mathit{later}_{a,s',f}$. Since $I_{a,s',f} \not\le_m t'$ for 
all $t' \in \mathit{later}_{a,s',f}$, $(I_{a,s',f}, t')$ is never contained in a modal refinement relation. 
As $I_{a,s',f}$ is by construction an $a$-successor of $I$, the modal refinement condition 
is violated for $(I, t)$. Therefore the second claim holds. 

'Only-If' part (completeness of the construction). We prove by induction on 
$n$, that whenever there exists an implementation $I$ with $I \le_m s$ and $I \not\le^n_m t$ for 
all $t \in T$ then $(s, T) \in \mathit{Avoid}$. After that, Lemma B.6 is applied. The base case 
$n = 0$ is trivial, as all pairs of processes are refining each other, hence $T = \emptyset$ and 
by definition $(s, T) \in \mathit{Avoid}$. 

For the induction step assume the existence of an implementation $I$, such 
that $I \le_m s$ and $I \not\le^{n+1}_m t$ for all $t \in T$. As $I$ is an implementation, $\mathit{Tran}(I)$ is a 
singleton and $N_I \in \mathit{Tran}(I)$ is unique. Furthermore as $I \le_m s$ holds, there exists 
by definition $N_s \in \mathit{Tran}(s)$, such that for all $a \in \Sigma$ 

1. $\forall s_a \in N_s(a) : \exists I_a \in N_I(a) : I_a \le_m s_a$ 

2. $\forall I_a \in N_I(a) : \exists s_a \in N_s(a) : I_a \le_m s_a$ 

To show that $(s, T) \in \mathit{Avoid}_{n+1}$ we set $M := N_s$. For each $f \in \bigcup_{t \in T} \mathit{Tran}(t)$ 
and each $(a, s') \in N_s$, we define $\mathit{later}_{a,s',f}$ such that the conditions are satisfied. 
We set 

$$\mathit{later}_{a,s',f} := \{ t' \mid \exists t \in T\ \exists N_t \in \mathit{Tran}(t) : t' \in N_t(a) \land \big( \forall I' \in N_I(a) : I' \not\le^n_m t' \ \lor\ f = N_t \land \exists I' \in N_I(a) : I' \le_m s' \land \forall t'' \in N_t(a) : I' \not\le^n_m t'' \big) \} \quad (*)$$

Let $t \in T$ and $N_t \in \mathit{Tran}(t)$ be arbitrary but fixed. As $I \not\le^{n+1}_m t$, for some 
$a \in \Sigma$ there is a violation of the modal refinement definition, such that one of 
the cases holds: 

1. $N_I(a) = \emptyset \land N_t(a) \neq \emptyset$ 

2. $N_I(a) \neq \emptyset \land N_t(a) = \emptyset$ 

3. $\exists t_a \in N_t(a) : \forall I_a \in N_I(a) : I_a \not\le^n_m t_a$ 

4. $\exists I_a \in N_I(a) : \forall t_a \in N_t(a) : I_a \not\le^n_m t_a$ 

If the third holds, then due to the first disjunct of $(*)$ we can satisfy the first 
disjunct of Definition 5.8 by giving the same $t_a$. If the fourth holds, then due to the 
second disjunct of $(*)$ we can satisfy the second disjunct of Definition 5.8 for any $s'$ 
with $I' \le_m s'$ (there is one due to 2.). 

Finally, to prove that $(s_a, \mathit{later}_{a,s_a,f})$ has an $n$-step distinguishing implemen- 
tation it is sufficient to take $I'$ of the second disjunct. 

□ 






C Thorough vs. Modal Refinement 

C.1 Proof of Proposition 6.2 



Proof. We fix a valuation $\nu$ of parameters and define a relation $R$ that satisfies 
the condition of Definition 3.2. The relation $R$ is taken as the smallest relation 
such that $(s_0, t_0) \in R$ and whenever $(s, t) \in R$, $(s, a, s') \in T$ and $(t, a, t') \in T$ 
then also $(s', t') \in R$. Before we prove that $R$ satisfies the conditions, we make 
the claim that $(s, t) \in R$ implies $s \le_t t$. Clearly, this holds for $(s_0, t_0)$. Suppose 
now that $s \le_t t$, $(s, a, s'), (t, a, t') \in T$ and $i'$ is an arbitrary implementation 
of $s'$. Then there exists an implementation $i \in [\![s]\!]$ such that $i \xrightarrow{a} i'$. But as 
$s \le_t t$, $i$ is also an implementation of $t$. Therefore, as $t$ is deterministic, $i'$ is 
an implementation of $t'$, thus $s' \le_t t'$. We can now check that $R$ satisfies the 
condition of Definition 3.2. Let $(s, t) \in R$ and $M \in \mathit{Tran}(s)$. Define $A := \{a \mid 
\exists s' : (a, s') \in M\}$. There is an implementation $i$ with exactly the transitions under 
$A$. Moreover, according to the assumption it is also an implementation of $t$. Hence 
$N := \{(a, t') \mid (t, a, t') \in T \land a \in A\}$ is an element of $\mathit{Tran}(t)$. The two conjuncts 
then clearly hold by construction of $R$. □ 

C.2 Proof of Proposition 6.6 

Proof. As the transition system of $\mathcal{D}(\mathcal{M})$ is created by the powerset construction, 
it is clearly deterministic. We prove that $s_0 \le_m \mathcal{D}(s_0)$. Since both systems 
have the same parameter set, for any valuation of parameters of $\mathcal{M}$ we can 
choose the same valuation for $\mathcal{D}(\mathcal{M})$. Further, we define a relation $R$ such that 
$(s, S) \in R$ iff $s \in S$ and show that the condition of Definition 3.2 is satisfied. Let 
$(s, S) \in R$. For $M \in \mathit{Tran}(s)$, we set $N := M[(a, S_a)/(a, s')]$. Since $\mathit{Tran}(S) = 
\bigcup_{s \in S} \mathit{Tran}(s)[(a, S_a)/(a, s')]$, we have $N \in \mathit{Tran}(S)$. We check the two conjuncts. 
Whenever there is $(a, s') \in M$ then $(a, S_a) \in N$ and $s' \in S_a$, hence $(s', S_a) \in R$. 
Whenever there is $(a, S_a) \in N$ we have the respective $(a, s') \in M$ by 
construction of $N$. Further, $s' \in S_a$, hence $(s', S_a) \in R$. □ 



C.3 Proof of Proposition 6.7 

Proof. Assume $t_0$ is a deterministic state of a PMTS $\mathcal{N}$ with $s_0 \le_m t_0$. Therefore, 
for every valuation $\mu$ there is a valuation $\nu$ and the greatest relation $R_{\mu,\nu}$ 
containing $(s_0, t_0)$ and satisfying the condition of Definition 3.2. We show that 
$\mathcal{D}(s_0) \le_m t_0$ by choosing for every $\mu$ the same $\nu$ and constructing a new rela- 
tion $Q_{\mu,\nu}$ between states of $\mathcal{D}(\mathcal{M})_\mu$ and $\mathcal{N}_\nu$ that also satisfies this condition as 
follows: 

$$(S, t) \in Q_{\mu,\nu} \text{ if and only if } \emptyset \neq S \subseteq \{ s \mid (s, t) \in R_{\mu,\nu} \}$$

We now check the condition. Since $(s_0, t_0) \in R_{\mu,\nu}$, we have $(\mathcal{D}(s_0)_\mu, t_0) = 
(\{s_0\}_\mu, t_0) = (\{s_0\}, t_0) \in Q_{\mu,\nu}$. Let now $(S, t) \in Q_{\mu,\nu}$ and $M \in \mathit{Tran}(S)$. Hence 
there is $s \in S$ with $M' \in \mathit{Tran}(s)$ with $M = M'[(a, S_a)/(a, s') \text{ for every } a, s']$. 
Since $(s, t) \in R_{\mu,\nu}$, there is $N \in \mathit{Tran}(t)$ matching $M'$. We show it also matches 
$M$. Let $(a, S_a) \in M$. There is a unique (due to determinism) $(a, t') \in N$ and 
further $(S_a, t') \in Q_{\mu,\nu}$ as each $s_a \in S_a$ modally refines the only $a$-successor 
of $t$, thus $(s_a, t') \in R_{\mu,\nu}$. Similarly, let $(a, t') \in N$. Then there is a unique 
$(a, S') \in M$, namely $(a, S_a)$. For the same reasons as above $(s_a, t') \in R_{\mu,\nu}$ 
for every $s_a \in S_a$. 

The minimality for BMTS holds w.r.t. both thorough and modal refinements 
as they coincide when the refined system is a deterministic BMTS. □ 



C.4 Proof of Proposition 6.9 

Proof. First, observe that for any parameter valuation $\nu$, the identity relation 
satisfies the condition of Definition 3.2 for $s_0$ and $\mathcal{P}(s_0)$. Indeed, for any $M \in 
\mathit{Tran}(s)$ we also have $M \in \mathit{Tran}(\mathcal{P}(s))$. Similarly, $\{((s, \nu), s) \mid s \in S, \nu \subseteq P\} \cup 
\{(s_0^B, \mathcal{P}(s_0))\}$ satisfies the condition for $s_0^B$ and $\mathcal{P}(s_0)$. □ 